Network Working Group D. McDonald
Request for Comments: 1751 NRL
Category: Informational December 1994
A Convention for Human-Readable 128-bit Keys
Status of this Memo
This memo provides information for the Internet community. This memo
does not specify an Internet standard of any kind. Distribution of
the memo is unlimited.
Introduction
The Internet community has begun to address matters of security.
Recent standards, including version 2 of SNMP [GM93], have explicit
requirements for an authentication mechanism. These require use of a
keyed message-digest algorithm, MD5 [Riv92], with a key size of 128-
bits. A 128-bit key, while sufficiently strong, is hard for most
people to read, remember, and type in. This memo proposes a
convention for use with Internet applications & protocols using 128-
bit cryptographic keys.
A Solution Already Exists
The S/Key(tm) one-time password system [Hal94] uses MD4 (and now MD5,
as well) to compute one-time passwords. It takes the 128-bit result
of MD4 and collapses it to a 64-bit result. Despite the size
reduction, 64-bit one-time passwords are still difficult for ordinary
people to remember and enter. The authors of S/Key devised a system
to make the 64-bit one-time password easy for people to enter.
Their idea was to transform the password into a string of small
English words. English words are significantly easier for people to
both remember and type. The authors of S/Key started with a
dictionary of 2048 English words, ranging in length from one to four
characters. The space covered by a 64-bit key (2^64) could be
covered by six words from this dictionary (2^66) with room remaining
for parity. For example, an S/Key one-time password of hex value:
EB33 F77E E73D 4053
would become the following six English words:
TIDE ITCH SLOW REIN RULE MOT
McDonald [Page 1]

RFC 1751 Human-Readable 128-bit Keys December 1994
Because of the need for interoperability, it is undesirable to have
different dictionaries for different languages. Also, the current
dictionary only uses characters from the invariant portion of ISO-
646. Finally, there is an installed base of users and applications
with this dictionary.
The Proposal
The code (see Appendix A) which S/Key uses to convert 64-bit numbers
to six English words contains two primitives which perform
conversions either way. The primitive btoe(char *engout,char *c)
takes a 64-bit quantity referenced by c and places English words in
the string referenced by engout. The primitive etob(char *out,char
*e) performs the opposite with an input string of English words
referenced by e, and by placing the 64-bit result into the buffer
referenced by out.
The aforementioned primitives can be applied to both halves of a
128-bit key, or both halves of a string of twelve English words. Two
new primitives (see Appendix B), key2eng(char *engout,char *key) and
eng2key(char *keyout,char *eng) serve as wrappers which call the
S/Key primitives twice, once for each half of the 128-bit key or
string of twelve words.
For example, the 128-bit key of:
CCAC 2AED 5910 56BE 4F90 FD44 1C53 4766
would become
RASH BUSH MILK LOOK BAD BRIM AVID GAFF BAIT ROT POD LOVE
Likewise, a user should be able to type in
TROD MUTE TAIL WARM CHAR KONG HAAG CITY BORE O TEAL AWL
as a key, and the machine should make the translation to:
EFF8 1F9B FBC6 5350 920C DD74 16DE 8009
If this proposal is to work, it is critical that the dictionary of
English words does not change with different implementations. A
freely redistributable reference implementation is given in
Appendices A and B.
McDonald [Page 2]

RFC 1751 Human-Readable 128-bit Keys December 1994
Security Considerations
This document recommends a method of representing 128-bit keys using
strings of English words. Since the strings of English words are
easy to remember, people may potentially construct easy-to-guess
strings of English words. With easy-to-guess strings comes the
possibility of a sentential equivalent of a dictionary attack. In
order to maximize the strength of any authentication mechanism that
uses 128-bit keys, the keys must be sufficiently obscure. In
particular, people should avoid the temptation to devise sentences.
Acknowledgements
S/Key is a registered trademark of Bell Communications Research.
Thanks to Randall Atkinson for the bulk of the security
considerations section, and for general advice. Thanks to Phil Karn
and Neil Haller for producing the S/Key one-time password system,
which inspired this document.
References
[GM93] Galvin, J. and K. McCloghrie, "Security Protocols for version
2 of the Simple Network Management Protocol (SNMPv2)", RFC 1446,
Trusted Information Systems, Hughes LAN Systems, April 1993.
[Hal94] Haller, N., "The S/Key(tm) One-Time Password System",
Proceedings of the Symposium on Network & Distributed Systems
Security, Internet Society, San Diego, February 1994.
[Riv92] Rivest, R., "The MD5 Message-Digest Algorithm", RFC 1321,
MIT Laboratory for Computer Science and RSA Data Security, Inc.,
April 1992.
Author's Address
Daniel L. McDonald
United States Naval Research Laboratory
Code 5544
4555 Overlook Ave. SW
Washington, DC 20375
Phone: (202) 404-7122
EMail: danmcd@itd.nrl.navy.mil
McDonald [Page 3]